On Sat, 8 Oct 2016, Pascal Meunier wrote:
: I think that problem belongs to scanner vendors or the NVD, who should
: worry about which vendors exactly are affected, which software versions,

That is why the industry is in horrible shape. NVD doesn't even try to
keep up with vendors impacted to that degree. I'm sure if they tried, they
would ask for a lot more money to do so.

: and which advisories apply to which, and which to report in the scanner
: findings. It reminds me of Steve's mantra, "the CVE is not a
: vulnerability database". Based on that mantra and your argumentation
: being based on what a full-service vulnerability database can or should
: do ideally, I believe the CVE should not be distorted for it. Besides,

I had long debates with Christey over his mantra for many years, which I
think is absurd personally. While we appreciate each other's arguments,
the fact is almost every major security vendor that relies on
vulnerability information uses CVE, and treats it like a VDB. More
telling is that every commercial VDB out there shares a common "#1
competition", and it isn't each other at all. CVE/NVD are the reason
companies opt not to pay for better vulnerability intelligence. So use
whatever term you want; it is completely irrelevant as far as the
practical use as seen in the wild today.

: I bet most scanners would report *all* such CVEs if they could not
: determine the vendor, and count them as individual findings against the

Nessus certainly wouldn't.
Brian